APPELLANT'S BRIEF



Commissioner for Patents
P.O. Box 1450
Alexandria, Virginia 22313-1450

Sir:

This is the Applicants' appeal from the final Office Action, mailed October 4, 
2007 (Paper No. 20070927). 

A two-month extension of time is requested for this response. 

Real Party in Interest 

Arbor Networks, Inc. is the real party in interest. 

Related Appeals and Interferences 

There are no related appeals or interferences. 

Status of Claims 

Claims 1-32, 34 and 35 are pending in this application. Claims 1-32, 34 and 35
are rejected. The rejection of claims 1-32, 34 and 35 is hereby appealed.
Status of Amendments

All amendments have been entered. There were no post-final amendments or
proposed amendments.

Summary of Claimed Subject Matter 

Please note that in the following discussion, reference is made to the instant
application as published: US Pat. Publ. No. US 2005/0005017A1.

Claim 1 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack, see US 2005/0005017A1 at Fig. 1,
reference CP and paragraph [0036].

Claim 21 concerns a method for responding to an attack on a computer network.
See generally US 2005/0005017A1 at Fig. 5. The method comprises:

generating a usage model for the computer network, see US 2005/0005017A1
at Fig. 3 reference 320 and paragraph [0067];

determining whether the computer network may be under attack, see US
2005/0005017A1 at Figs. 4A and 4B and paragraph [0072];

in response to detecting attack, determining characteristics of the attack, see
US 2005/0005017A1 at Fig. 4A reference 418 and paragraph [0080]; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack,
see US 2005/0005017A1 at Fig. 5 reference 524 and paragraphs [0105]
and [0114]-[0117];

issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules, see US 2005/0005017A1 at Fig. 5 reference 530 and
paragraphs [0125]-[0131].

Claim 35 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to only allow network
communications between the host computers in different compartments of
the computer network based on a usage model describing legitimate
network communications while restricting all other network
communications between the host computers, in response to attack, see
US 2005/0005017A1 at Fig. 1, reference CP and paragraph [0036].
Grounds of Rejection to be Reviewed on Appeal

I. Whether claims 1-20 are unpatentable under 35 U.S.C. 101 over claims 1-20 of 
copending Application No. 10/887,213. 

II. Whether claims 1-10, 12-14, and 18 are unpatentable under 35 U.S.C. 103(a) over 
Copeland (US PgPub 2002/0144156). 

III. Whether claims 11, 16-17, 19-31 and 34 are unpatentable under 35 U.S.C. 103(a) 
over Copeland (US PgPub 2002/0144156) and further in view of Yadav (US PgPub 
2003/0149888). 

IV. Whether claim 15 is unpatentable under 35 U.S.C. 103(a) over Copeland (US 
PgPub 2002/0144156) and further in view of Day (US Patent 7,017,186). 

Argument 

Claims 1-20 are patentable over claims 1-20 of copending Application No. 10/887,213

A "same invention" rejection under 35 U.S.C. 101 requires that both 

applications/patents claim the same invention. MPEP at page 800-19, Rev. 5, Aug. 2006, 
provides a test: 

A reliable test for double patenting under 35 U.S.C. 101 is whether a claim in
the application could be literally infringed without literally infringing a
corresponding claim in the patent. In re Vogel, 422 F.2d 438, 164 USPQ 619
(CCPA 1970). Is there an embodiment of the invention that falls within the
scope of one claim, but not the other? If there is such an

The present claims describe a different invention from those in the 10/887,213
application. For example, extracting or monitoring authentication events is mentioned in
all of the pending claims of the 10/887,213 application. In contrast, authentication is not
mentioned in any of the claims of the pending application. Thus, there is an embodiment,
i.e., a system or method that does not provide for authentication event
extraction/monitoring, that is within the scope of the claims of the present application but
outside the scope of the claims of the 10/887,213 application.

Thus, the present application does not claim the "same invention" as the
10/887,213 application.

Claims 1-10, 12-14, and 18 are patentable over Copeland and claims 11, 16-17, 19-31
and 34 are patentable over Copeland in view of Yadav

Embodiments of the present invention are directed to protecting a
communications network, such as a computer network, from attack, such as from
self-propagating code or other breaches to security policies. The network is
divided into "compartments" that are separated by access control devices, such
as firewalls. The access control devices are then used to stop security breaches
such as the spread of self-propagating attack code, the "zero-day" worms, for
example. However, the access control devices are configured such that upon
activation, legitimate network services will not be jeopardized.

The invention capitalizes on the insight that much of the problem with zero-day
worms and other attacks originates from network resources that are not in normal use. By
blocking traffic that is atypical for a particular network (for instance: database
connections between two desktop systems that never normally speak a database protocol)
the system is able to generate blocking actions that stifle the majority of attacks. On the
other hand, the system is much less likely to disrupt business processes, since access
control devices will still permit network communications that exhibit behavior
characteristic of normal communication patterns on the network, i.e., behavior
characterized by pass rules that are also deployed to the access control devices.

5 of 19

7 July 2008

Application No.: 10/684,964
Attorney Docket No.: 0016.0011

The system described in Copeland has some similarities to the system of the
instant application. Copeland describes, for example, port profiling and trying to assess
when computers are under attack. Copeland further teaches to drop certain packets from
certain host computers. However, what the system of Copeland lacks is something akin
to the claimed: 1) multiple access control devices; and 2) a control plane, which instructs
the access control devices to allow network communications between the compartments
of the computer network based on a usage model describing legitimate network
communications.

-Independent claims 1, 21 and 35

The Examiner bears the initial burden of establishing a prima facie case. In re 
Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992). To establish a prima facie case of 
obviousness, all the claim features must be taught by the prior art. In re Royka, 490 F.2d 
981, 985 (CCPA 1974). If examination at the initial stage does not produce a prima facie 
case of unpatentability, then without more the applicant is entitled to a grant of the patent. 
Oetiker, 977 F.2d at 1445. 

Here, the independent claims contain two features that are not shown or suggested 
by the applied references, thus necessitating withdrawal of the rejections. 

First, each of the independent claims requires access control devices that control
communications between compartments of the computer network, claim 1; access control
devices compartmentalizing the computer network in response to the characteristics of
the attack, claim 21; and access control devices to only allow network communications
between the host computers in different compartments of the computer network, claim
35.

The pending Office Action concedes that this feature is not taught by the applied
reference. For example, at page 4, last paragraph, the pending Office Action provides:

f. The examiner notes that Copeland doesn't explicitly disclose multiple
access control devices that control communications between compartments of
the network, however, as shown in Fig. 2 the network is described in simple terms,
Nevertheless, the pending Office Action argues that the feature of using access
control devices to compartmentalize the network would have been obvious. The basis for
this assertion is set forth on page 5 of the pending Office Action:

It would have been obvious for one of ordinary skill in the art to view the internal
network as containing more than 2 computers and necessarily more than one
network device controlling access to the multitude of computers, thus it would
have been obvious that the plural network devices necessarily compartmentalize
the network and each would maintain a separate port profiling engine

Network compartmentalization, as claimed, would not have been obvious from
the applied references since such a configuration is: 1) contrary to the set up shown in
the applied references; and 2) contrary to the typical way in which such devices are
deployed. In more detail, access control devices, or firewalls, are typically deployed at
network edges, not for the claimed compartmentalization. Copeland's Fig. 1 shows its
port profiling engine deployed in the typical fashion at a network edge between the server
130 and the internet 199. This typical mode of deployment is consistent with the
description in the present application. For example, paragraph [0003] provides:

[0003] These NIDS are deployed at the edges of enterprise
networks to insulate the networks from unauthorized access
from third party or public networks, such as the internet.

In short, there is nothing to support the assertion that the use of multiple access 
control devices to compartmentalize the network would have been obvious. Moreover, 
this theme of compartmentalization has been consistently described as an important 
feature of the present invention as expressed in paragraph [0012] of US 
2005/0005017A1: 
[0012] The present invention is directed to a technique for
protecting communications networks, such as computer networks,
from attack, such as from self-propagating codes or
other breaches to security policies. The network is divided
into "compartments" that are separated by access control
devices, such as firewalls. The access control devices are
then used to stop the security breaches such as the spread of
self-propagating attack code, the "zero-day" worms, for
example. However, the access control devices are configured

Thus, for this reason the present claimed invention is distinguishable over the
applied references.

The present claimed invention is also distinguishable for having a usage model 
defining communications that are allowed by the access control device while restricting 
other communications during an attack. Specifically claim 1 requires: "a control plane 
for instructing the access control devices to allow network communications between the 
compartments of the computer network based on a usage model describing legitimate 
network communications while restricting other network communications between the 
compartments, in response to attack"; and claim 35 requires "a control plane for 
instructing the access control devices to only allow network communications between the 
host computers in different compartments of the computer network based on a usage 
model describing legitimate network communications while restricting all other network 
communications between the host computers". 

In short, the present claimed invention responds to an attack by causing access
control devices, such as firewalls, to allow communications during an attack, not simply
to block certain communications. This distinguishes the invention from the applied
references.

In more detail, Copeland describes a system that seems to issue "alarms." For
example, cited paragraph [0066] from Copeland provides:

[0066] Once the port profile is accurate, the port profiling
engine 155 compares the two lists to detect operations that
are "Out of Profile" and provide an alarm to the system
operator. Out of Profile operation can indicate the
operation of a Trojan Horse program on the host, or the
existence of a non-approved network application that has



Similarly, cited paragraph [0166] from the Copeland application only provides that
packets from a compromised host are dropped:

[0166] The alert manager 630 looks for hosts whose
network usage indicates Out of Profile network services. The
new alarm conditions can cause immediate operator notification
by an operator notification process 642. These conditions
can be highlighted on the user interface, and cause
SNMP trap messages to be sent to a network monitor such
as HP OpenView, and/or email messages to the network
administrator which in turn may cause messages to be sent
to beepers or cell phones. Messages can also be sent to cause
automated devices such as a firewall manager 644 to drop
packets going to or from an offending host. It will thus be
appreciated that the present invention advantageously operates
in conjunction with firewalls and other network security
devices and processes to provide additional protection for an
entity's computer network and computer resources.

Thus the functionality described in Copeland is prototypical firewall behavior:
block communications deemed malicious by the system.

The problem with this approach, however, is that it cannot guarantee that the
critical communications required to be carried by the network will continue to take place.
As described in the example of paragraph [0011] of present application US
2005/0005017A1:

[0011] The problem with the existing [techniques] for defending
against attacks such as from worms is that there is no
mechanism for ensuring that blocking actions taken by the
firewalls will not block services that serve a legitimate [purpose
on the network] in the event of an actual or suspected attack.
Consequently, some institutions that have mission-critical
communications over their networks will make compromises in
the effectiveness of the defense that is mounted against an
attack in order to ensure that these important communications
are not impacted by the attack response.

To address this problem, the claimed invention requires specific functionality: 
allowing communications between network compartments based on a usage model. This 
is neither shown nor suggested by the applied reference. Moreover, this difference 
provides clear performance advantages by ensuring that mission-critical communications 
would not be blocked in an attack, contrary to the operation of the applied reference. 

-Dependent claims 2-4 

Claims 2-4 describe that the network that is compartmentalized is an enterprise
network, a service provider network, or a public network, respectively. Thus, these
claims further highlight the distinction drawn previously concerning the lack of teaching
of network compartmentalization in the applied reference.

The applied references do not suggest compartmentalization of these specific 
types of networks. Moreover, the pending Office Action does not argue or explain why it 
would have been obvious to deploy access control devices to compartmentalize such 
networks, as claimed. 

-Dependent claims 20 and 34 

Dependent claims 20 and 34 specify how the blocking rules are generated in 
contrast to how the pass rules are generated. In more detail, claim 20 requires that "the 
pass rules are generated from the usage model and the blocking rules are generated from 
the protocol information and/or port information characteristic of the attack." 


Nothing in the applied references suggests this way of generating pass rules as
opposed to blocking rules. As explained previously, neither of the references teaches the 
notion of using "pass rules". And certainly, neither of the applied references teaches how 
such rules should be generated. 
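As an added example (editorial code, not from the application or from Arbor Networks) of the claim 20/34 distinction argued above and of the usage-model pass rules of claims 1 and 35: a control plane derives pass rules from a learned usage model and a blocking rule from the detected attack's protocol and port, and an access control device between two compartments applies them. All names, the sample addresses and the rule precedence (attack block first, then pass rules, then default deny during the response) are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional

# One network communication as the usage model records it (claim 13).
Flow = namedtuple("Flow", "proto src dst sport dport")


@dataclass(frozen=True)
class Rule:
    """Pass or blocking rule; None is a wildcard. Source port is not matched
    because client ports are ephemeral (assumed simplification)."""
    action: str                     # "pass" or "block"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        fields = (("proto", self.proto), ("src", self.src),
                  ("dst", self.dst), ("dport", self.dport))
        return all(want is None or want == getattr(f, name) for name, want in fields)


class UsageModel:
    """Learns legitimate communications from flow records (claims 7-15)."""

    def __init__(self, compartments: Dict[str, str]):
        self.compartments = compartments      # host address -> compartment name
        self.entries: Dict[Flow, dict] = {}   # flow -> {"last_seen", "count"}

    def observe(self, f: Flow, ts: float) -> bool:
        # Claim 11: flows to or from hosts outside the modelled network are discarded.
        if f.src not in self.compartments or f.dst not in self.compartments:
            return False
        e = self.entries.setdefault(f, {"last_seen": ts, "count": 0})  # claim 12
        e["last_seen"], e["count"] = ts, e["count"] + 1                  # claims 14, 15
        return True


def control_plane_rules(model: UsageModel, attack_proto: Optional[str],
                        attack_port: Optional[int]) -> List[Rule]:
    """Claims 20/34: pass rules come from the usage model, blocking rules from the
    protocol/port characteristics of the detected attack."""
    comp = model.compartments
    pass_rules = [Rule("pass", f.proto, f.src, f.dst, f.dport)
                  for f in model.entries
                  if comp[f.src] != comp[f.dst]]     # only these cross a device
    block_rules = [Rule("block", proto=attack_proto, dport=attack_port)]
    # Assumed precedence (not fixed by the claims): attack block before learned passes.
    return block_rules + pass_rules


class AccessControlDevice:
    """Firewall between compartments; passes everything until instructed."""

    def __init__(self):
        self.rules, self.responding = [], False

    def install(self, rules: List[Rule]) -> None:
        self.rules, self.responding = list(rules), True

    def decide(self, f: Flow) -> str:
        if not self.responding:
            return "pass"
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "block"   # claim 1: restrict all other communications during attack


def run_scenario() -> Dict[str, object]:
    # Constructed sample: two desktops, a web server and a database server.
    comp = {"10.1.0.5": "desktops", "10.1.0.6": "desktops",
            "10.2.0.20": "servers", "10.2.0.10": "servers"}
    model = UsageModel(comp)
    learned = [Flow("tcp", "10.1.0.5", "10.2.0.20", 50001, 443),
               Flow("tcp", "10.1.0.6", "10.2.0.20", 50002, 443),
               Flow("tcp", "10.2.0.20", "10.2.0.10", 50003, 5432),
               Flow("tcp", "203.0.113.9", "10.2.0.20", 40000, 443)]  # external, dropped
    for ts, f in enumerate(learned):
        model.observe(f, float(ts))
    acd = AccessControlDevice()
    web = Flow("tcp", "10.1.0.5", "10.2.0.20", 50010, 443)        # normal use
    worm = Flow("tcp", "10.1.0.5", "10.2.0.10", 50011, 445)       # attack port
    atypical = Flow("tcp", "10.1.0.5", "10.2.0.10", 50012, 5432)  # desktop -> db
    before = acd.decide(worm)
    # Attack detection system reports a worm spreading over tcp/445 (constructed).
    acd.install(control_plane_rules(model, "tcp", 445))
    return {"before_attack": before, "web": acd.decide(web), "worm": acd.decide(worm),
            "atypical": acd.decide(atypical), "model_size": len(model.entries)}
```

The atypical desktop-to-database flow is the brief's own example of traffic that the usage model never saw, so it is restricted during the response even though no blocking rule names it, while the learned web flow keeps passing.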

Conclusion 

As explained above, the present claimed invention requires features neither shown
nor suggested by the applied references: compartmentalization and issuance of pass rules.
And these features address the problem of ensuring that attack responses do not block
legitimate network communications — problems which are not contemplated by the
applied references.

For the foregoing reasons, Applicants believe that the pending rejections should 
be withdrawn, and that the present application should be passed to issue. Should any 
questions arise, please contact the undersigned. 

Respectfully submitted, 
Houston Eliseeva LLP 

By /grant houston/

J. Grant Houston 
Registration No.: 35,900 
4 Militia Drive, Ste. 4 
Lexington, MA 02421 
Tel.: 781-863-9991 
Fax: 781-863-9931 

Date: July 7, 2008 
Claims Appendix

1. (Previously presented) A system for controlling communications over a 
computer network, the system comprising: 

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to allow network 
communications between the compartments of the computer network 
based on a usage model describing legitimate network communications 
while restricting other network communications between the 
compartments, in response to attack. 

2. (Original) A system as claimed in claim 1, wherein the computer network is 
an enterprise network. 

3. (Original) A system as claimed in claim 1, wherein the computer network is a 
service provider network. 

4. (Original) A system as claimed in claim 1, wherein the computer network is a 
public network. 

5. (Original) A system as claimed in claim 1, wherein the access control devices 
compartmentalize the computer network into separate sub-networks of network 
devices. 

6. (Original) A system as claimed in claim 1, wherein the access control devices 
separate host computers from the computer network. 

7. (Original) A system as claimed in claim 1, further comprising a network 
modeling system for generating the usage model. 
8. (Original) A system as claimed in claim 7, wherein the network modeling
system receives flow information describing communications between network 
devices. 

9. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by network communications devices.

10. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by the access control devices. 

11. (Original) A system as claimed in claim 8, wherein the network modeling
system discards flow information between network devices in the computer
network and network devices external to the computer network.

12. (Original) A system as claimed in claim 7, wherein the network modeling 
system compares new network communications to the usage model and updates 
the usage model if the new network communications are not described by the 
usage model. 

13. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications. 

14. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to time 
stamp information indicating when the network communication was last detected. 

15. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to 
frequency information indicating a frequency of the network communication. 
16. (Original) A system as claimed in claim 1, wherein the attack detection
system monitors communications over the computer network for attack using 
signature detection. 

17. (Original) A system as claimed in claim 1, wherein the attack detection 
system performs heuristic modeling to determine whether the computer network 
is under attack. 

18. (Original) A system as claimed in claim 1, wherein the attack detection 
system monitors communications over the computer network for attack by 
monitoring changes in connections between network devices. 

19. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass and/or blocking rules for the access control devices. 

20. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass rules and blocking rules for the access control devices, in which 

the pass rules are generated from the usage model and the blocking rules are 
generated from the protocol information and/or port information characteristic of 
the attack. 

21. (Previously presented) A method for responding to an attack on a computer
network, the method comprising: 

generating a usage model for the computer network; 

determining whether the computer network may be under attack; 

in response to detecting attack, determining characteristics of the attack; and 

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack;

issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules.

22. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications to 
and from network devices on the computer network. 

23. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications 
between network devices on the computer network. 

24. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records that include port, protocol, source 
address and destination address of network communications to and from network 
devices on the computer network. 

25. (Original) A method as claimed in claim 21, further comprising the step of
the access control device compartmentalizing the computer network into separate
sub-networks of network devices.

26. (Original) A method as claimed in claim 21, further comprising the step of 
the access control device compartmentalizing the computer network by separating 
host computers from the computer network. 

27. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises: 

collecting flow information at network communications devices; and 
passing the flow information to a network modeling system. 

28. (Original) A method as claimed in claim 27, wherein the step of collecting 
flow information is performed by the access control devices. 
29. (Original) A method as claimed in claim 21, wherein the step of generating a
usage model comprises comparing network communications to the usage model 
and updating the usage model if the network communications are not described by 
the usage model. 

30. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
network communications for attack signatures. 

31. (Original) A method as claimed in claim 21, wherein the step of determining
whether the computer network may be under attack comprises performing 
heuristic modeling to determine whether the computer network is under attack. 

32. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
changes in connections between network devices. 

33. (Cancelled) 

34. (Previously presented) A method as claimed in claim 21, wherein the step of 
generating instructions to the access control devices comprises generating pass 
rules and blocking rules for the access control devices, in which the pass rules are 
generated from the usage model and the blocking rules are generated from 
protocol and/or port characteristics of the attack. 

35. (Previously presented) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to only allow network 
communications between the host computers in different compartments of 
the computer network based on a usage model describing legitimate
network communications while restricting all other network 
communications between the host computers, in response to attack. 
Evidence Appendix



None 
Related Proceedings Appendix



None 